Assignment Presentation
ON
SYSTEM ENUMERATION: TCP/UDP PORTS
Instructor:
Mr Bashi
INTRODUCTION
Enumeration
Enumeration is the first phase in which the attacker actively engages the target network: after footprinting and scanning, enumeration means connecting to the discovered services and querying them directly to gather user names, machine names, network resources, shares and services. Because it establishes active connections to the target system, enumeration is intrusive and will normally appear in the target's logs.
Although File Transfer Protocol (FTP) is becoming less common on the Internet, connecting to and examining the content of FTP repositories remains one of the simplest and potentially most lucrative enumeration techniques. We've seen many public web servers that used FTP for uploading web content, providing an easy vector for uploading malicious executables. Typically, the availability of easily accessible file-sharing services quickly becomes widespread knowledge, and public FTP sites end up hosting sensitive and potentially embarrassing content. Even worse, many such sites are configured for anonymous access; anonymous access combined with a writable directory is the combination to look for.
CMD commands: several built-in Windows commands are effective for enumeration on a local network.
net use (null session)
Syntax: net use \\<ip address>\IPC$ "" /u:""
Example: net use \\192.168.2.2\IPC$ "" /u:""
Description: connects to the hidden interprocess communication share (IPC$) of 192.168.2.2 as the built-in anonymous user (/u:"") with a null password (""). Null sessions are permitted by default on Windows NT 4.0 and 2000; Windows XP and later restrict what an anonymous session may enumerate (the RestrictAnonymous and RestrictAnonymousSAM policies), so the command may succeed while the follow-up enumeration returns nothing.
Techniques (continued)
nbtstat (tested and working)
Syntax: nbtstat -A <ip address>
Example: nbtstat -A 192.168.2.4
Use: retrieves the remote NetBIOS name table (machine name, domain/workgroup, service and logged-on user names) and the MAC address of the system by sending a node status query to UDP port 137.
FTP enumeration
Syntax: ftp <ftp servername>
Example: ftp ftp.gnuplot.info
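What nbtstat -A actually puts on the wire is a NetBIOS node status (NBSTAT) query, and the name table and MAC address come back in a single UDP reply. The following is an added example, not code from the original slides: it builds the request packet per RFC 1002 and parses a reply. The reply bytes (host FILESRV01 in WORKGROUP, MAC 00:11:22:AA:BB:CC) are constructed here for an offline run; node_status() sends the same query to a live host.

```python
import socket
import struct

NBSTAT_QTYPE, NB_CLASS_IN = 0x0021, 0x0001
NAME_FLAG_GROUP = 0x8000            # G bit of NAME_FLAGS: 1 = group name, 0 = unique name
# Common 16th-byte suffixes (RFC 1002 and Microsoft's NetBIOS suffix list)
SUFFIXES = {0x00: "workstation / domain name", 0x03: "messenger", 0x1B: "domain master browser",
            0x1C: "domain controllers", 0x1D: "master browser", 0x1E: "browser elections",
            0x20: "file server"}


def encode_netbios_name(name: str) -> bytes:
    """RFC 1001 first-level encoding: 16 raw bytes -> 32 chars 'A'..'P', length-prefixed."""
    raw = name.encode("ascii").ljust(16, b"\x00")
    enc = bytearray()
    for b in raw:
        enc += bytes((0x41 + (b >> 4), 0x41 + (b & 0x0F)))
    return b"\x20" + bytes(enc) + b"\x00"


def build_node_status_request(txid: int = 0x1337) -> bytes:
    """The 50-byte packet nbtstat -A sends to UDP/137: header, '*' name, type NBSTAT."""
    header = struct.pack(">6H", txid, 0x0000, 1, 0, 0, 0)   # flags 0: plain query, one question
    return header + encode_netbios_name("*") + struct.pack(">HH", NBSTAT_QTYPE, NB_CLASS_IN)


def parse_node_status_response(data: bytes, txid=None) -> dict:
    rtxid, flags, _qd, ancount, _ns, _ar = struct.unpack(">6H", data[:12])
    if not flags & 0x8000 or ancount < 1 or (txid is not None and rtxid != txid):
        raise ValueError("not a matching NBSTAT response")
    off = 12
    while data[off]:                           # skip the echoed, length-prefixed name
        off += 1 + data[off]
    off += 1
    rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
    off += 10
    if rtype != NBSTAT_QTYPE:
        raise ValueError("unexpected RR type %#x" % rtype)
    rdata = data[off:off + rdlen]
    num_names, names = rdata[0], []
    for i in range(num_names):
        entry = rdata[1 + 18 * i:19 + 18 * i]       # 15-char name, suffix byte, 2-byte flags
        nflags = struct.unpack(">H", entry[16:18])[0]
        names.append({"name": entry[:15].rstrip(b" ").decode("ascii", "replace"),
                      "suffix": entry[15],
                      "group": bool(nflags & NAME_FLAG_GROUP),
                      "meaning": SUFFIXES.get(entry[15], "unknown")})
    stats = rdata[1 + 18 * num_names:]
    mac = ":".join("%02X" % b for b in stats[:6])   # UNIT_ID field = adapter MAC address
    return {"names": names, "mac": mac}


def node_status(host: str, timeout: float = 2.0) -> dict:
    """Live equivalent of nbtstat -A <host> (not exercised by the offline test)."""
    txid = 0x1337
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(txid), (host, 137))
        data, _ = s.recvfrom(1024)
    return parse_node_status_response(data, txid)


def constructed_response(txid: int = 0x1337) -> bytes:
    """A made-up reply from a Windows file server named FILESRV01 in WORKGROUP (constructed)."""
    entries = [(b"FILESRV01", 0x00, 0x0400), (b"FILESRV01", 0x20, 0x0400),
               (b"WORKGROUP", 0x00, 0x8400), (b"WORKGROUP", 0x1E, 0x8400)]
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        rdata += name.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += bytes.fromhex("001122AABBCC") + b"\x00" * 40   # UNIT_ID (MAC) + zeroed statistics
    header = struct.pack(">6H", txid, 0x8400, 0, 1, 0, 0)   # response, authoritative answer
    rr = encode_netbios_name("*") + struct.pack(">HHIH", NBSTAT_QTYPE, NB_CLASS_IN, 0, len(rdata))
    return header + rr + rdata


if __name__ == "__main__":
    for n in parse_node_status_response(constructed_response())["names"]:
        print("%-15s <%02X> %-6s %s" % (n["name"], n["suffix"], "GROUP" if n["group"] else "UNIQUE", n["meaning"]))
```

The suffix byte is what makes the table useful: <20> marks a file server, <1B>/<1C> a domain controller, and a <03> entry that is not the machine name is the currently logged-on user. Matching the transaction ID before trusting a reply is the one check most quick scripts omit.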
Techniques (continued)
telnet
Syntax: telnet <URL/IP> <port number>
Example: telnet www.csice.edu.in 80 (HTTP port)
Use: connect to a service on a given port and read its banner by hand
Common port numbers:
HTTP 80 (TCP)
FTP 21 (TCP)
telnet 23 (TCP)
SMTP 25 (TCP)
DNS 53 (TCP/UDP)
TFTP 69 (UDP)
finger 79 (TCP)
NetBIOS name service 137 (UDP)
Super Scan
IP-Tools
Local Info - examines the local host and shows information about processor, memory, Winsock data, etc.
Connection Monitor - displays information about current TCP and UDP network connections
NetBIOS Info - gets NetBIOS information about network interfaces (local and remote computers)
NB Scanner - shared resources scanner
SNMP Scanner - scans network(s) for SNMP-enabled devices
Name Scanner - scans all hostnames within a range of IP addresses
Port Scanner - scans network(s) for active TCP-based services
UDP Scanner - scans network(s) for active UDP-based services
IP Tools (Continue)
Ping Scanner - pings remote hosts over the network
Trace - traces the route to a remote host over the network
WhoIs - obtains information about an Internet host or domain name from the NIC (Network Information Center)
Finger - retrieves information about users from a remote host
LookUp - looks up domain names from IP addresses and IP addresses from domain names
GetTime - gets time from time servers (it can also set the correct time on the local system)
Telnet - telnet client
HTTP - HTTP client
IP-Monitor - shows network traffic in real time (as a set of charts)
Host Monitor - monitors up/down status of selected hosts
Trap Watcher - allows you to receive and process SNMP trap messages
Features:
> Pings computers and displays those alive.
> Detects hardware MAC addresses, even across routers.
> Detects hidden shared folders and writable ones.
> Detects your internal and external IP addresses.
> Scans for listening TCP ports, some UDP and SNMP services.
> Retrieves currently logged-on users, configured user accounts, uptime, etc.
> You can mount and explore network resources.
> Can launch external third-party applications.
> Exports results to HTML, XML, CSV and TXT.
> Supports Wake-On-LAN, remote shutdown and sending network messages.
> Retrieves potentially any information via WMI.
> Retrieves information from the remote registry, file system and service manager.
Enumeration Ports
FTP, TCP 21
telnet ip_address 21 (banner grab)
ftp ip_address, then log in as anonymous with an e-mail-style password such as ftp@example.com
Check for anonymous access (and whether any directory is writable)
Password guessing
MiTM
SMTP, TCP 25
Sendmail version 8 and later offers configuration syntax in sendmail.cf (the PrivacyOptions setting, e.g. novrfy, noexpn or goaway) to disable VRFY and EXPN or to require authentication before they are honoured. SMTP has two commands, VRFY and EXPN, which reveal whether a mailbox exists and the actual delivery addresses behind aliases and mailing lists.
Example: telnet 10.219.100.1 25
Sendmail, port 25 open
Fingerprint server: telnet ip_address 25 (banner grab)
Mail server testing
Enumerate users:
VRFY username (verifies whether the mailbox exists; enumeration of accounts)
EXPN alias (expands an alias or mailing list to its member addresses; enumeration of accounts)
Mail spoof test:
HELO anything
MAIL FROM: spoofed_address
RCPT TO: valid_mail_account
DATA
.
QUIT
Mail relay test (HELO anything, then try each sender/recipient pair; a 250 reply to RCPT TO for a foreign recipient means the server relays):
Identical to/from: mail from: <nobody@domain> / rcpt to: <nobody@domain>
Unknown domain: mail from: <user@unknown_domain>
Domain not present: mail from: <user@localhost>
Domain not supplied: mail from: <user>
Source address omission: mail from: <> / rcpt to: <nobody@recipient_domain>
Use IP address of target server: mail from: <user@IP_Address> / rcpt to: <nobody@recipient_domain>
Use double quotes: mail from: <user@domain> / rcpt to: <"user@recipient_domain">
Use IP address of the target server in the recipient: mail from: <user@domain> / rcpt to: <nobody@recipient_domain@[IP_Address]>
Disparate formatting: mail from: <user@[IP_Address]> / rcpt to: <@domain:nobody@recipient_domain>
Disparate formatting 2: mail from: <user@[IP_Address]> / rcpt to: <recipient_domain!nobody@[IP_Address]>
Examine configuration files: sendmail.cf, submit.cf
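The VRFY/EXPN user enumeration and the relay test above are easy to script once the reply codes are interpreted correctly. The following is an added example (not code from the slides): a raw-socket SMTP probe plus a constructed mock Sendmail responder so the exchange runs offline. The mock server's user list, aliases and banner are made up; its hardened mode reproduces the replies Sendmail gives under PrivacyOptions=novrfy,noexpn (252 for VRFY, 502 for EXPN), and open_relay=True models a misconfigured relay.

```python
import socket
import socketserver
import threading

# Constructed directory for the mock server (not a real host).
LOCAL_USERS = {"root", "admin", "bob"}
ALIASES = {"postmaster": ["root@example.test"],
           "staff": ["admin@example.test", "bob@example.test"]}
LOCAL_DOMAINS = {"example.test"}


class MockSendmail(socketserver.StreamRequestHandler):
    """Minimal SMTP responder. hardened mimics PrivacyOptions=novrfy,noexpn;
    open_relay accepts RCPT TO for any domain."""
    hardened = False
    open_relay = False

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode())

    def handle(self):
        self.reply("220 mx.example.test ESMTP Sendmail 8.14.4 (constructed banner)")
        while True:
            line = self.rfile.readline().decode(errors="replace").strip()
            if not line:
                return
            verb, _, arg = line.partition(" ")
            verb, arg = verb.upper(), arg.strip()
            if verb in ("HELO", "EHLO"):
                self.reply("250 mx.example.test Hello")
            elif verb == "VRFY":
                user = arg.strip("<>").split("@")[0]
                if self.hardened:
                    self.reply("252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery")
                elif user in LOCAL_USERS:
                    self.reply("250 <%s@example.test>" % user)
                else:
                    self.reply("550 5.1.1 User unknown")
            elif verb == "EXPN":
                members = ALIASES.get(arg.strip("<>"))
                if self.hardened:
                    self.reply("502 5.7.0 Sorry, we do not allow this operation")
                elif members:
                    for m in members[:-1]:
                        self.reply("250-<%s>" % m)      # "250-" = more lines follow
                    self.reply("250 <%s>" % members[-1])
                else:
                    self.reply("550 5.1.1 Alias unknown")
            elif verb == "MAIL":
                self.reply("250 2.1.0 Sender ok")
            elif verb == "RCPT":
                domain = arg.rsplit("@", 1)[-1].strip("<>")
                if domain in LOCAL_DOMAINS or self.open_relay:
                    self.reply("250 2.1.5 Recipient ok")
                else:
                    self.reply("554 5.7.1 Relaying denied")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("500 5.5.1 Command unrecognized")


def start_mock_server(hardened=False, open_relay=False):
    handler = type("Handler", (MockSendmail,), {"hardened": hardened, "open_relay": open_relay})
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


class SMTPProbe:
    """Raw SMTP client: one command in, the complete (possibly multi-line) reply out."""
    def __init__(self, host, port, timeout=5):
        self.sock = socket.create_connection((host, port), timeout)
        self.rfile = self.sock.makefile("rb")
        self.banner = self._read()

    def _read(self):
        lines = []
        while True:
            line = self.rfile.readline().decode(errors="replace").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":     # "250-" continues, "250 " ends the reply
                return lines

    def cmd(self, text):
        self.sock.sendall((text + "\r\n").encode())
        return self._read()

    def close(self):
        try:
            self.cmd("QUIT")
        finally:
            self.sock.close()


def enumerate_users(host, port, candidates):
    """VRFY each candidate: 250 = exists, 550 = unknown, 252 = server refuses to say."""
    verdict = {"250": "exists", "550": "unknown", "252": "ambiguous"}
    p = SMTPProbe(host, port)
    p.cmd("HELO probe.test")
    try:
        return {u: verdict.get(p.cmd("VRFY " + u)[-1][:3], "other") for u in candidates}
    finally:
        p.close()


def expand_alias(host, port, alias):
    p = SMTPProbe(host, port)
    p.cmd("HELO probe.test")
    try:
        reply = p.cmd("EXPN " + alias)
        if reply[-1][:3] != "250":
            return []
        return [l[l.index("<") + 1:l.index(">")] for l in reply]
    finally:
        p.close()


def relay_test(host, port):
    """Open relay if a foreign sender to a foreign recipient is accepted at RCPT TO."""
    p = SMTPProbe(host, port)
    p.cmd("HELO probe.test")
    try:
        p.cmd("MAIL FROM:<nobody@attacker.test>")
        return p.cmd("RCPT TO:<nobody@other.test>")[-1].startswith("250")
    finally:
        p.close()
```

Reading only the last line's three-digit code is deliberate: EXPN and EHLO answer with continuation lines ("250-"), and a probe that stops at the first line will desynchronise on the next command. A 252 is not a negative result; it tells you VRFY is disabled and that RCPT TO is the remaining (noisier) way to confirm a mailbox.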
host
host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] name [server]
-v verbose output
-t type: query a specific record type, i.e. A, NS, MX or PTR
-a same as -t ANY
-l zone transfer (AXFR) of the named zone, if the server allows it
-f save output to a specified filename
nslookup [-option ...] [host-to-find | - [server]]
dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-p port#] [-t type] [-x addr] [-y name:key] [-4] [-6] [name] [type] [class] [queryopt...]
nslookup
dig
whois
-h host: use the named host to resolve the query
-a use ARIN to resolve the query
-r use RIPE to resolve the query
-p use APNIC to resolve the query
-Q perform a quick lookup
BiLE Suite
DNS Enumeration
BiLE.pl [website] [project_name]
BiLE-weigh.pl [website] [input file]
vet-IPrange.pl [input file] [true domain file] [output file] <range>
vet-mx.pl [input file] [true domain file] [output file]
exp-tld.pl [input file] [output file]
jarf-dnsbrute [domain_name] (brutelevel) [file_with_names]
qtrace.pl [ip_address_file] [output_file]
jarf-rev [subnetblock] [nameserver]
txdns
txdns -rt -t domain_name
txdns -x 50 -bb domain_name
txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c:\hostlist.txt
tftp ip_address
PUT local_file
GET conf.txt (or other files)
Solarwinds TFTP server
tftp -i <IP> GET /etc/passwd (old Solaris; -i selects binary transfer in the Windows client)
TFTP bruteforcer, Cisco-Torch
TFTP Bruteforcing
TFTP, UDP 69: the Trivial File Transfer Protocol provides unauthenticated file transfers over UDP port 69. There is no login step, so anyone who can reach the port can request any file the daemon is able to read; knowing (or guessing) the file name is the only obstacle.
$ tftp 192.168.202.34
tftp> get /etc/passwd /tmp/passwd.cracklater
tftp> quit
Finger, TCP/UDP 79
Finger Port 79 open User enumeration
finger 'a b c d e f g h'@example.com
finger admin@example.com
finger user@example.com
finger 0@example.com
finger .@example.com
finger **@example.com
finger test@example.com
finger @example.com
Command execution
finger "|/bin/id@example.com"
finger "|/bin/ls -a /@example.com"
(old fingerd implementations handed the query string to a shell, so a leading pipe runs the command on the server)
Finger Bounce
finger user@host@victim
finger @internal@external
(the outer host forwards the query to the inner one, letting you reach a finger service that is not directly exposed)
Firefox add-ons
All: FireCAT (Firefox Catalog of Auditing exTensions)
Specific: Add N Edit Cookies, ASnumber, Header Spy, Live HTTP Headers, Shazou, Web Developer
Crawl website
lynx [options] startfile/URL
Options include: -traversal, -crawl, -dump, -image_links, -source
Other tools: httprint, Metagoofil
Nikto
Enum
enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>
-U user list, -M machine list, -N name list dump, -S share list, -P password policy, -G group and member list, -L LSA policy, -d detailed output (with -U and -S), -c do not cancel sessions, -u/-p credentials to use (default "" and ""), -f dictionary file (used with -D for password guessing)
net use \\192.168.1.1\ipc$ "" /u:"" (null session)
Null Session
Smbclient
Superscan
Enumeration tab.
user2sid / sid2user
Winfo
The BGP protocol uses IP network addresses and ASNs exclusively. An ASN is an integer (historically 16-bit; 32-bit ASNs have been assigned since RFC 4893/6793 and appear in asplain or asdot notation) that an organization obtains from its regional Internet registry, such as ARIN, to identify itself on the network. You can think of an ASN as an IP address for an organization. Because you cannot execute commands on a router using a company name, the first step is to determine the ASN for an organization. There are two techniques to do this, depending on what type of information you have. One approach, if you have the company name, is to perform a whois search with the ASN keyword. Alternatively, if you have an IP address for the organization, you can query a router and use the last entry in the AS path (the origin AS) as the ASN. For example, you can telnet to a public route server and perform the following commands:
C:\>telnet route-views.oregon-ix.net
User Access Verification
Username: rviews
route-views.oregon-ix.net>show ip bgp 63.79.158.1
BGP routing table entry for 63.79.158.0/24, version 7215687
Paths: (29 available, best #14)
  Not advertised to any peer
  8918 701 16394 16394
    212.4.193.253 from 212.4.193.253 (212.4.193.253)
      Origin IGP, localpref 100, valid, external
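Picking the origin AS out of "show ip bgp" output by eye works for one prefix; for a list of addresses it is worth parsing. The following is an added example, not part of the original presentation: it extracts every AS path from the route server output, returns the rightmost AS as the origin, accepts 32-bit ASNs in asplain and asdot form, and treats an AS_SET (braces, produced by route aggregation) as "no single origin". The sample text reuses the slide's route-views output; the second path with the AS_SET is constructed to show that case.

```python
import re

ASN_TOKEN = re.compile(r"^(\d+)(?:\.(\d+))?$")   # asplain (65000, 4200000000) or asdot (1.10)


def parse_asn(token: str) -> int:
    """Accept asplain and asdot notation; return the ASN as an int (max 32 bits)."""
    m = ASN_TOKEN.match(token)
    if not m:
        raise ValueError("not an ASN: %r" % token)
    hi, lo = m.groups()
    if lo is None:
        asn = int(hi)
        if asn > 0xFFFFFFFF:
            raise ValueError("ASN out of range: %s" % token)
        return asn
    hi, lo = int(hi), int(lo)
    if hi > 0xFFFF or lo > 0xFFFF:
        raise ValueError("asdot halves must be 16-bit: %s" % token)
    return (hi << 16) | lo


def parse_as_path_line(line: str):
    """Return the AS path as a list (AS_SETs as frozensets), or None if the line is not a path."""
    tokens = line.split()
    if not tokens:
        return None
    path, i = [], 0
    try:
        while i < len(tokens):
            t = tokens[i]
            if t.startswith("{"):                       # AS_SET, e.g. {64512,64513} or {64512, 64513}
                as_set = t
                while not tokens[i].endswith("}"):
                    i += 1
                    as_set += tokens[i]
                path.append(frozenset(parse_asn(x) for x in as_set.strip("{}").split(",")))
            else:
                path.append(parse_asn(t))
            i += 1
    except (ValueError, IndexError):
        return None          # IP addresses, "Paths:", "Origin IGP" etc. all fail to parse as ASNs
    return path


def parse_as_paths(show_ip_bgp_output: str) -> list:
    paths = []
    for line in show_ip_bgp_output.splitlines():
        p = parse_as_path_line(line)
        if p:
            paths.append(p)
    return paths


def origin_asn(path):
    """The rightmost AS is the origin; an AS_SET there means an aggregate with no single origin."""
    last = path[-1]
    return None if isinstance(last, frozenset) else last


# First path copied from the slide; second path constructed to exercise the AS_SET case.
SAMPLE = """\
route-views.oregon-ix.net>show ip bgp 63.79.158.1
BGP routing table entry for 63.79.158.0/24, version 7215687
Paths: (29 available, best #14)
  Not advertised to any peer
  8918 701 16394 16394
    212.4.193.253 from 212.4.193.253 (212.4.193.253)
      Origin IGP, localpref 100, valid, external
  3549 {64512,64513}
    208.51.134.253 from 208.51.134.253 (208.51.134.253)
"""

if __name__ == "__main__":
    for path in parse_as_paths(SAMPLE):
        print(path, "-> origin AS", origin_asn(path))
```

Note that 16394 appears twice at the end of the real path: that is AS path prepending, which is why the origin must be read as "the last distinct AS" and not by counting hops from the left.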
ldapminer
ldapminer -h ip_address -p port (not required if default) -d
(GUI-based tool)
ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]
ldapadd [-c] [-S file] [-n] [-v] [-k] [-K] [-M[M]] [-d debuglevel] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-h ldaphost] [-p ldapport] [-P 2|3] [-O security-properties] [-I] [-Q] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] [-f file]
ldapdelete [-n] [-v] [-k] [-K] [-c] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-P 2|3] [-p ldapport] [-O security-properties] [-U authcid] [-R realm] [-x] [-I] [-Q] [-X authzid] [-Y mech] [-Z[Z]] [dn]
ldapmodify [-a] [-c] [-S file] [-n] [-v] [-k] [-K] [-M[M]] [-d debuglevel] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-O security-properties] [-I] [-Q] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] [-f file]
ldapmodrdn [-r] [-n] [-v] [-k] [-K] [-c] [-M[M]] [-d debuglevel] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-O security-properties] [-I] [-Q] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] [-f file] [dn rdn]
luma
ldp
openldap
bf_ldap -s server -d domain_name -u|-U username|users_list_file -L|-l passwords_list|length_of_passwords_to_generate
optional: -p port (default 389), -v (verbose mode), -P LDAP user path (default ,CN=Users,)
V3.sas.oc msadClassesAttrs.ldif
nsslapd.sas_at.conf nsslapd.sas_oc.conf
slapd.sas_at.conf slapd.sas_oc.conf 75sas.ldif
Microsoft Windows is not alone with its null session holes. Novell's NetWare has a similar problem; actually, it is worse. Novell practically gives away the information farm, all without authenticating to a single server or tree. Old NetWare 3.x and 4.x servers (with Bindery Context enabled) have what can be called the Attach vulnerability, allowing anyone to discover servers, trees, groups, printers and usernames without logging into a single server. See the reference for how easily this is done and for recommendations on plugging these information holes.
Like any network resource, applications need a way to talk to each other over the wire. One of the most popular protocols for doing just that is Remote Procedure Call (RPC). RPC employs a service called the portmapper (now known as rpcbind) to arbitrate between client requests and the ports it dynamically assigns to listening applications. Despite the pain it has historically caused firewall administrators, RPC remains extremely popular. The rpcinfo tool is the equivalent of finger for enumerating RPC applications listening on remote hosts and can be targeted at servers found listening on port 111 (rpcbind) or 32771 (Sun's alternate portmapper) in previous scans:
[root$] rpcinfo -p 192.168.202.34
program vers proto port
100000 2 tcp 111 rpcbind
100002 3 udp 712 rusersd
100011 2 udp 754 rquotad
100005 1 udp 635 mountd
100003 2 udp 2049 nfs
100004 2 tcp 778 ypserv
This tells attackers that the host is running rusersd, NFS and NIS (ypserv is the NIS server). Therefore rusers, showmount -e and pscan -n will produce further information (see the reference for more tools and discussion). The pscan tool can also enumerate this information by use of the -r switch.
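rpcinfo -p is nothing more than an RPC CALL to the portmapper's DUMP procedure (program 100000, version 2, procedure 4) with null credentials. The following is an added example, not code from the slides: it builds that call as a TCP-framed RPC message (RFC 5531 / RFC 1833), parses the pmaplist in the reply into the same rows rpcinfo prints, and maps the well-known program numbers to the follow-up checks the paragraph above names. The reply body is constructed to mirror the slide's table so the parser runs offline; rpc_dump() sends the real query to a live host.

```python
import socket
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4
RPC_CALL, RPC_REPLY = 0, 1
PROTO_NAMES = {6: "tcp", 17: "udp"}
# Standard RPC program numbers (as in /etc/rpc) for the services the slide shows
PROG_NAMES = {100000: "rpcbind", 100002: "rusersd", 100003: "nfs", 100004: "ypserv",
              100005: "mountd", 100011: "rquotad", 100021: "nlockmgr", 100024: "status"}
FOLLOWUPS = {"rusersd": "rusers -l <host>", "mountd": "showmount -e <host>",
             "nfs": "showmount -e <host>, then try mounting the exports",
             "ypserv": "ypcat/ypwhich once the NIS domain name is guessed"}


def build_dump_call(xid: int = 0x2A2A2A2A) -> bytes:
    """RPC CALL to portmapper proc 4 (DUMP) with AUTH_NULL, framed for TCP with a record mark."""
    body = struct.pack(">10I", xid, RPC_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP,
                       0, 0,      # credentials: flavor AUTH_NULL, length 0
                       0, 0)      # verifier:    flavor AUTH_NULL, length 0
    return struct.pack(">I", 0x80000000 | len(body)) + body   # high bit = last fragment


def parse_dump_reply(body: bytes, xid=None) -> list:
    rxid, mtype, reply_stat = struct.unpack(">3I", body[:12])
    if mtype != RPC_REPLY or reply_stat != 0 or (xid is not None and rxid != xid):
        raise ValueError("not an accepted reply to our call")
    _flavor, vlen = struct.unpack(">2I", body[12:20])
    off = 20 + ((vlen + 3) & ~3)                        # skip verifier body, XDR pads to 4 bytes
    accept_stat = struct.unpack(">I", body[off:off + 4])[0]
    off += 4
    if accept_stat != 0:
        raise ValueError("accept_stat %d (1 = PROG_UNAVAIL, 2 = PROG_MISMATCH)" % accept_stat)
    mappings = []
    while struct.unpack(">I", body[off:off + 4])[0] == 1:   # pmaplist: value_follows flag
        prog, vers, prot, port = struct.unpack(">4I", body[off + 4:off + 20])
        off += 20
        mappings.append({"program": prog, "version": vers,
                         "proto": PROTO_NAMES.get(prot, str(prot)),
                         "port": port, "name": PROG_NAMES.get(prog, "unknown")})
    return mappings


def rpc_dump(host: str, port: int = 111, timeout: float = 3.0) -> list:
    """Live query, the same exchange rpcinfo -p performs (not run by the offline test)."""
    xid = 0x2A2A2A2A
    with socket.create_connection((host, port), timeout) as s:
        s.sendall(build_dump_call(xid))
        mark = struct.unpack(">I", s.recv(4))[0]          # assumes a single-fragment reply
        length, data = mark & 0x7FFFFFFF, b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return parse_dump_reply(data, xid)


def followups(mappings: list) -> list:
    return sorted({FOLLOWUPS[m["name"]] for m in mappings if m["name"] in FOLLOWUPS})


def constructed_dump_reply(xid: int = 0x2A2A2A2A) -> bytes:
    """A reply body mirroring the slide's rpcinfo table (constructed, not captured)."""
    table = [(100000, 2, 6, 111), (100002, 3, 17, 712), (100011, 2, 17, 754),
             (100005, 1, 17, 635), (100003, 2, 17, 2049), (100004, 2, 6, 778)]
    body = struct.pack(">6I", xid, RPC_REPLY, 0, 0, 0, 0)  # MSG_ACCEPTED, AUTH_NULL verf, SUCCESS
    for entry in table:
        body += struct.pack(">5I", 1, *entry)
    return body + struct.pack(">I", 0)                      # end of list


if __name__ == "__main__":
    rows = parse_dump_reply(constructed_dump_reply())
    print("program vers proto port")
    for m in rows:
        print("%-7d %-4d %-5s %-5d %s" % (m["program"], m["version"], m["proto"], m["port"], m["name"]))
    print("follow-ups:", followups(rows))
```

Two practical points the slide's output hides: the portmapper answers the DUMP with no authentication at all, so anything that can reach port 111 gets the full table, and rpcbind on port 111 can be filtered while the registered services (NFS on 2049, mountd on its dynamic port) remain reachable, which is why a scan should probe the listed ports directly rather than trust the absence of a portmapper.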
sqlping ip_address/hostname
NFS: mount the exported share and try to add and delete files. Exploit and confuse Unix.
4.0 REFERENCES
Harry Newton, Newton's Telecom Dictionary, CMP Books, New York, NY, 2002.
Phenoelit Default Password List: http://www.phenoelit-us.org/dpl/dpl.html
Postel, John. "RFC 793". Retrieved 29 June 2012.
"Port Numbers". Internet Assigned Numbers Authority (IANA).
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Cavendish, D. (C&C Research Labs, USA), IEEE Communications Magazine, Volume 38, Issue 6, pp. 164-172, IEEE Xplore digital library. http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=846090&url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel5%2F35%2F18353%2F00846090.pdf%3Farnumber%3D846090
Paul Bedell, Gigabit Ethernet for Metro Area Networks, 2003, p. 329.
Dale Barr Jr., Peter M. Fonash: Internet Protocol over Optical Transport Networks; National Communication Technologies, Inc., Dec 2003, pp. 9, 43-47.
G.7712, "Vertel Supports Latest Optical Network Management Standard", Embedded Star, last accessed 23 September 2006. http://www.embeddedstar.com/press/content/2003/3/embedded7896.html
ECI LightSoft Network Management Solutions General Description Handbook, 2nd Edition, ECI, June 2006, p. 64.
D. Frey, F. Moore, "Making Ethernet over SONET, A Transport Network Operations Model", Proceedings NFOEC, 2003, p. 29.
Telecommunications Industry Association (TIA): www.tiaonline.org
Institute of Electrical and Electronics Engineers (IEEE): www.ieee.org
THANK YOU